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In The Claims 

The listing of claims will replace all prior versions, and listings, of claims in the 
application. 

. / 1. (Currently amended) A method of examining a network, including: 

2 identifying an operating system of a remote host based on communications with 

3 the remote host through the network, including identifying a version and a 

4 patch level of the operating system; 

5 identifying a service of the remote host based on the communicationSj with the 

6 r e mot e host through - tho network, including identifying a version and a 

7 patch level of the service; and 

S identifying a vulnerability of the network based on at least one of the identified 

9 operating system and the identified service, information obtained from th e 

10 steps of identifying an operating syst e m and identifying a scrvi e o r 

; 2. (Currently amended) The method of claim 1, wherein: 

2 the stop of identifying an operating system includes sending a first set of packets 

3 to the remote host and receiving a second set of packets from the remote 

4 host in response to the said first set of packets, and analyzing the second 

5 set of packets for inferential information indicative of the operating 

6 system; and 

7 the step of identifying a service includes sending a third set of packets to the 

8 remote host and receiving a fourth set of packets from the remote host in 

9 response to the said third set of packets, wherein information contained in 

10 the said third set of packets is based on information received in the said 

11 second set of packets, and analyzing the fourth set of packets for 

12 inferential information indicative of the service^ j-and 

1 3 the stop of id e ntifying a vulnerability includes comparing information containe d- 

14 in th e second aot of pack e ts and the fourth set of packets to preexisting 

15 vulnerability information in a database ? 
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7 3. (Currently amended) The method of claim 1, wherein the step of 

2 identifying an operating system includes sending three sets of packets to the remote host 

3 and receiving three respective sets of responsive packets from the remote host. 

/ 4. (Currently amended) A method of examining a network, including: 

2 nonintrusively identifying an operating system of a remote host including 

3 identifying a version of the operating system based on inferential 

4 information received from the remote hos t in headers of packets : and 

5 nonintrusively identifying a service of the remote host including identifying a 

6 version of the service based on the inferential information, received from- 

7 the remote host; 

/ 5. (Currently amended) The method of claim 4, further including: 

2 identifying a vulnerability of the network based on at least one of the identified^ 

3 operating system and the identified service . 

/ 6, (Currently amended) The method of claim 4, further including: 

2 identifying the identified service as a trojan application nn tf»> rgirmTP Vingt 

1 7. (Currently amended) The method of claim 4, further including: 

2 identifying the identi fied service as an unauthorized software use on the remote 

3 host. 

1 8. (Currently amended) The meihod of claim 4, further including: 

2 identifying a security policy violation v iolations on the network based on the 

3 inferential information . 

J 9. (Currently amended) The method of claim 4, wherein: 

2 t h e step of identifying an operating system further includes identifying a patch 

3 level of the operating system. »a»d 
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4 the atop of identifying a service farther inoh,^ i-,w;y ^ n ^ tc h l c v c I Qf ^ 



5 



4 



9 



serv i c e. 



/ 10. (Currently amended) The method of claim 4, wherein tho atcps-of 

2 identifying an operating system and identifying a service each includes: 

3 sending a test selected packet to the remote host: and 
receiving from the remote host a reflexive re sponsi ve packet containing at iwwHi 

5 Portion of t he inferential information. 

/ 11. (Canceled) 

/ 12. (Currently amended) The method of claim 4, wherein: 

2 thestop-ef identifying an operating system includes sending a first set of packets 

3 to the remote host and receiving a second set of packets from the remote 
host in response to the said first set of packets , the second set r.f p ar.i^ 
containing at least a portion of the inferential infr,™^^ 

the stop of identifying a service includes sending a third set of packets to the 

remote host and receiving a fourth set of packets from the remote host in 
response to die said third set of packets , the fourth set nf p a ^ir^tc 
9 containing aT least a norrin n of the inferential infhrmarinn 

1 13-18. (Canceled) 

' 19. (Currently amended) A method of examining a network, including: 

2 sending a set of test s e l e cted packets to a remote host on the networ k, at least part 
J of the first set of test packet s including header information to p gnerate a 

4 response from the remote host that varies lending ;mon a n ooeratinp 

5 . system and a service on the remote host- 

6 receiving from the remote host a set of reflexive fespefisive packets responsive to 

7 the test packets : and 

8 identifying conditions of the remote host by using inferential information received 
in the reflexive responsive packets, wherein the conditions include at least 
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10 one of Ifae operating system and the service on the » h ? y | 

11 operating oystom of the host, and a service; of the bom. 



/ 



/ 



20. (Original) The method of claim 19, wherein the conditions further include 



2 a vulnerability of the remote host 



21. (Original) The method of claim 19, wherein the conditions further include 



2 the presence of unauthorized software on the remote host 



22. (Original) The method of claim 1 9, wherein the conditions include the 
presence of a trojan application on the remote host. 



/ 23. (Previously presented) The method of claim 19, wherein: 

2 identifying an operating system includes identifying a version; and 

3 identifying a service includes identifying a version. 

1 24. (Previously presented) The method of claim 1 9, wherein: 

2 identifying an operating system includes identifying a version and a patch level; 

3 and 

4 identifying a service includes identifying a version and a patch level. 
/ 25. (Canceled) 

> 26. (Currently amended) A method of detecting a vulnerability of a network, 

2 comprising: 

3 sending a first set of test packets to a remote host on the network; 
receiving a first set of reflexive packets from the remote host in response to the 

first set of test packets, at least pan of the, fir * set of reflexive r »^t« 
including header information tha t j s unique ™ an operating svstem- 
7 inferring the operating system; 
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* sending a second set of test packets to the remote host; on tho network, wboroia- 

9 information contained in the first sot of test packets is bnsod on in fo icntiQl 

10 infor m a tion conta i ned Ui tho first sot of roflojcive paokc u,, 

11 receiving a second set of reflexive packets from the remote host in response to the 

12 second set of test packets , at least part of thft second set of refWiv» 

13 packets including header info rmation that is unique to a servirp- «r,H 

14 inferring the service. 

15 ba s e d on inferential infnnmntinn mut™^ j n T h r f j ^ , . r f 0 f r c fl ox i V ( - p ac l L U Lt 

16 id e ntifying an operating system of tho rcmoto host, including a version and 
W a patch level; and 

18 based on inferential information oontninori in thn r^n n ^ r f r c fl^civc paclc o t;, 

/P t dontifirinp a fmirinn nf th* rnnrntr, ^ far]^^ n v rn i o n m g jpq^ 

20 fevet 

/ 27. (Canceled) 

1 28. (Currently amended) The method of claim 26 2?, further including: 

2 b a se d on information contained in at le n rt the tonth scquo i itu, identifying a 

3 vulnerability based on at least one nf the inferred operating system and the 

4 inferred service . 

1 29. (Currently amended) The method of claim 26, wherein: 

2 the first set of test packets includes : 

3 a SYN Packet with false flag in the TCP option header; 

4 a Fragmented UPD packet with malformed header (any header 

5 inconsistency is sufficient), where the packet is 8K in size; 

5 a FIN Packets of a selected variable size or a FIN packet without the ACK 

7 or SVN flag properly set; and 

8 a generic, well-formed ICMP ECHO request packet; 

9 th e third set of packets includes: 

10 a generic well-formed TCP Header set to 1 024 bytes in size; 

11 a Packet requesting an ICMP Timestamp; 
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12 
13 



a Packet with min/max segment size set to a selected variable value; and 
a UPD packet with the fragment bit set; 

14 the fifth set of p nrl qyio iiicludu^. 

15 a TCP Packet with the header and options set inconectly; 

16 a well-formed ICMP Packet; 
a Fragmented TCP or UPD packet; 

a packet with an empty TCP window or a window set to zero; 
a generic TCP Packet with 8K of random data; and 
a SYN Packet with ACK and RST flags set 



17 
18 
19 
20 



' 30. (Previously presented) A method of examining a network, comprising: 

2 sending a plurality of packets to a host on the network; 

3 receiving a responsive plurality of packets from the host; 

4 comparing inferential information in the responsive packets to information stored 

5 in a database; and 

6 based on the comparison, identifying a plurality of network conditions, including 

7 a vulnerability of the network. 

' 31- (Previouslypresented) A memc>d of examining a network, comprising: 

2 sending packets to a host on the network; 

3 receiving responsive packets from the host; 

4 comparing inferential information in the responsive packets to information stored 

5 in a database; and 
based on the comparison, identifying a trojan application on the network. 



6 



1 32. (Previouslypresented) A memod of examining a nerwork, comprising: 

2 sending packets to a host on the network; 

3 receiving responsive packets from the host; 

4 comparing inferential information in the responsive packets to information stored 

5 in a database; and 

6 based on the comparison, identifying unauthorized software use on the network. 
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' 33. (Previously presented) A method of examining a network, comprising: 

2 sending packets to a host on the network; 

receiving responsive packets from the host; 

comparing inferential information in the responsive packets to information stored 
5 in a database; and 

based on the comparison, inferring an unknown vulnerability. 



1 34. (Previously presented) A method of examining a network, comprising: 

2 sending packets to a host on the network; 

3 receiving responsive packets from the host; 

4 comparing inferential information in the responsive packets to information stored 

5 in a database; and 

6 based on the comparison, identifying a security policy violation. 
l 35. (Canceled) 



/ 36. 



9 
10 
11 
12 
13 
14 



(Currently amended) A system for examining a network, comprising: 



a database i ncluding q sot of reflex signatures; 

a packet generator tojgnerate and transmit » of test nackPts t« a remote 

on the network, at least nan the set of test packets mcluriinp h-A~ 
information t0 generate a response from the remote host that v*ri~ 
depending upon at least one of an operating system a n d a service nr. th* 

7 remote host: 

8 a database including a set of reflex signatures rnng sponding tn fl nWslity 
operating system s and a p lur ality of service- anj 

a comparison unit torece ive a set of reflex narfcets from the remnt* hn«t 

responsive to the test packets, and in commi m icatinn with the database tn 
compare inferential in formation c onta ined in the set reflex naclrets m 
the set of reflex signatures in ottW tn id entify at ^ t ^ of the np >rarinfy 

system and me service and associated vulnerahilities in m 

15 with the packet gancrator and the databl e ? 
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16 ^ 'hnrni n tho pacha ^ nn rn toi i, J u ^u u J l n m „ Uai ijlJl it „ pluiQlkj o f 

17 test packets to the network? 

18 " ' ^ i ntoo com p a x h nti n r.it i> Jul ^ u !, ,, r p rn >n resp uiui H-p n ckots floin I k, 
n rtww ri c and to com r n r r i,ig I U i U u l iiif u r mntinn H u m ih u A c flmc sinnaiu^ , 



20 3B4 



2/ 
22 



; 

2 
5 



5 



/; 

12 



netw orl r bcuod on iu, u uui p nrir on of pocLq i nfo rmation mdi i n fl o w 



2J signatures ? 



37. (Currently amended) The system of claim 36, wherein the comparison 
unit is forther designed to identify an operating system type, version, and patch level and 
a service type, version, and patch level of the remote host n hnrrt on thcuctwoiL 



' 38. (Currently amended) The system of claim 36, wherein the comparison 

2 unit is designed to provide feedback information to the packet generator, and wherein the 

1 packet generator is designed to use the feedback information to selectively generate test 
4 packets within the set of test p ackets 

' 39. (Currently amended) A computer readable medium, having instructions 

2 stored therein, which, when executed by a computer, causes the computer to perform the 

3 steps of: 

4 identifying an operating system of a remote host based on communications with 

3 the remote host through the network, including identifying a version of the 

operating system; 

7 identifying a service on The port and a service of the remote host based on 

communications with the remote host through the network, including 
9 identifying a version of the service; and 

identifying a vulnerability of the network based on information obtained from the 
identified operating system fl nd the identified sarvW ^ „f h- ,,, ^ iuL 
n n operating system and identifying a soi-vioe . 
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* 40. (Currently amended) The computer readable medium of claim 39, 

2 wherein: 



J 

4 
5 



t r r instructio n fi u identifying an operating system further includes 

fe* identifying a patch level of the operating system; and 
the instructi o n^ identifying a service farther includes iasfruetioas-fer 
6 identifying a patch level of the service. 

' 41. (Currently amended) The computer readable medium of claim 39, 

2 wherein: 

A«iep^identifyin 8 an operating system includes sending a first set of packets 
to the remote host and receiving a second set of packets from the remote 
host in response to the said first set of packets, and anal wi™,*. * a 

6 . set of packets for inferential information ince pt ive of the nv t ^ finft 

7 system: and 

thenste^ef identifying a service includes sending a third set of packets to the 

remote host and receiving a fourth set of packets from the remote host in 
response to the said third set of packets, wherein information contained i 
the said third set of packets is based on information received in the said 
second set of packets, and analvrinpr th„ f™,^ set 6f p flrV , to fw 
23 inferential information indi cative of the Mwvir- 

t ho ^ r n fi d cu ifjii n . q .uln nnh ili^ ind uj ^ m rnp nrir^ infi , i u n Luntai u c d 



3 
4 
J 



8 
9 
10 
11 
12 



in 



14 

15 m tho second flc q nonoo of packet* jnd tho fourth ^ q urmco of podi u m, t o 

16 information in a database . 



1 42. (Canceled) 

' 43. (Currently amended) A method for use by a host on a network, 

2 comprising: 

receiving a first set of test packets from a remote equipment; 
aHJ6iaa ^ Sendin S a set of reflexive packets to die said remote equipment 
responsive to the first set of packets , the first set of reflexive packets 
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6 containing header information ^nnntnd , h h . ^ Xc Q Rcquoa r ^ 

7 ^ mmo mCPrCjpi utucu l nj id indicative of an operating system on the 

8 host, including a version and patch level; 

9 receiving a second set of t*«t ?a .w ^ Th - finf m ]w1 , , n ^ 

10 equipment; and 

// 

12 
13 
14 
15 
16 
17 



19 
20 



aatematfeaSy sending a second set of reflexive packets to the saki remote 

equipment responsive to the second set nf w r ^i-^ ^ secood ^ of 
reflexive packets containing header information conomtcd according tu a 
Request For Com me nt (PJQ ^lutucu ) and indicative of a service on the 
host, including a version and patch levels 
wh nrn m tho fust wt of roflmrivn p.nr W .^i . .^ i n f rrrn -, tinn Tl , , t ^ • 

n m iotg oquip inr nt to id e nt ify t ho n n nrnf rng ^ tuu on f hn h 0J t, in clu ding u 
18 wmion and a patch lovuL, 

n ^ r o in tho ic iu nJ mtf n f rcfloati > L pa rlr^n i nclud e ; ia formnt ion that tuu M u U ic 
fem n tn e quipment to id entif y ft p - o nioo on m c , hoct} im:iaaing Q t u w 
21 and a patch Iovok 

/ 44. (Currently amended) A method of examining a network, including: 

2 identifying an operating system of a remote host, including a version and a patch 

level of the operating system with a first set of packets, the first set of 
packets comprising an operating system packet to determine the operating 
system, an operating system version packet to determine the operating 
system version based on the determined operating system, and an. 
operating system patch level packet to determine the operating system 
patch level based on the determined operating system version; 
identifying a service of the remote host, including a version and a patch level of 
the service with a second set of packets based on the identified on^rinp 
syjterna ^ iit nnr nf Thn first „ u u fpati m ^ the first set of packets 
comprising a service packet to determine the service, a service version 
packet to determine the service version based on the detennined service, 



3 
4 

5 
6 
7 
8 
9 

10 

11 

12 

13 
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14 
15 
16 
17 



8 



1 
2 



1 



and a service patch level packet to determine the service patch level based 
on the determined service version; and 
identifying a vulnerability of the network based on information obtained from the 
steps of identifying an operating system and identifying a service. 



1 45. (Currently amended) A method of examining a network, including: 

2 identifying an operating system of a remote host, including a version and a patch 
3 

4 

5 

6 



level of the operating system, with responses to nonconforming data 
packets having nonconforming headers; 
identifying a service of the remote host, including a version and a patch level of 
the service^ with responses to the nonconforming data packets; and 
7 identifying a vulnerability of the network based on the identified operating system 

and the identified g*nri™» i^f^,^ nr , Tn { nrf1 fr 0mtll0 lbi]>l uf 
9 tdtaitifying an operating system and identifying q service r 

/ 46. (New) The method of claim 1, wherein identifying a service comprises 

2 directing the communications to ports of the remote host based on the identified 

3 operating system, 

/ 47. (New)Thememodofclaim2,wheremmemferefltialmfomiation 

2 comprises header information associated with the second set of packets, at least part of 

3 the header information being unique to the identified operating system. 



48. (New) The method of claim 2, wherein the inferential information 
comprises header information associated with the fourth set of packets, at least part of the 



3 header information being unique to the identified 



service. 



49. (New) The method of claim 4, wherein identifying a service further 



2 includes identifying a patch level of the service. 
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